Date: Thu, 26 Jun 2008 17:37:30 GMT From: Rui Paulo <rpaulo@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 144157 for review Message-ID: <200806261737.m5QHbUD8038131@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=144157 Change 144157 by rpaulo@rpaulo_epsilon on 2008/06/26 17:36:41 Implement SEQ/ACK analysis for RST. Autocreate dump files. Kill print_packet() function. tcpdump does a much better job.
Affected files ...
.. //depot/projects/soc2008/rpaulo-tcpad/Makefile#9 edit
.. //depot/projects/soc2008/rpaulo-tcpad/dumper.c#7 edit
.. //depot/projects/soc2008/rpaulo-tcpad/dumper.h#5 edit
.. //depot/projects/soc2008/rpaulo-tcpad/handler.c#13 edit
.. //depot/projects/soc2008/rpaulo-tcpad/helper.c#2 edit
.. //depot/projects/soc2008/rpaulo-tcpad/tcpad.h#9 edit
.. //depot/projects/soc2008/rpaulo-tcpad/timer.c#3 edit
Differences ...
==== //depot/projects/soc2008/rpaulo-tcpad/Makefile#9 (text+ko) ====
@@ -1,8 +1,9 @@
-# $P4: //depot/projects/soc2008/rpaulo-tcpad/Makefile#8 $
+# $P4: //depot/projects/soc2008/rpaulo-tcpad/Makefile#9 $
 PROG=tcpad
 SRCS=main.c device.c linkhdr.c handler.c helper.c dumper.c timer.c
 CFLAGS+=-DDEBUG -ggdb
+CFLAGS+=-DDUMPER_PATH=\"dumpfiles/\"
 WARNS=5
 LDADD=-lpcap
==== //depot/projects/soc2008/rpaulo-tcpad/dumper.c#7 (text+ko) ====
@@ -23,13 +23,14 @@
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/soc2008/rpaulo-tcpad/dumper.c#6 $
+ * $P4: //depot/projects/soc2008/rpaulo-tcpad/dumper.c#7 $
 */
 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <unistd.h>
 #include <sys/queue.h>
 #include <pcap.h>
@@ -60,10 +61,24 @@
 * An error occured. Dump the packet list to a file.
 */
 void
-dumper_error(pcap_t *p, const char *path, struct dumppkth *head)
+dumper_error(pcap_t *p, struct dumppkth *head)
 {
+ int i;
 pcap_dumper_t *pd;
 struct dumppkt *dp;
+ char path[128];
+
+ for (i = 0; i < 3000; i++) {
+
+ snprintf(path, sizeof(path), "%s/dump%d.cap", DUMPER_PATH,
+ i);
+ if (access(path, W_OK) != 0) break;
+ }
+ if (i == 3000) {
+ fprintf(stderr, "%s, %s is full!\n", __func__, DUMPER_PATH);
+ return;
+ }
 pd = pcap_dump_open(p, path);
 if (pd == NULL) {
==== //depot/projects/soc2008/rpaulo-tcpad/dumper.h#5 (text+ko) ====
@@ -23,7 +23,7 @@
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/soc2008/rpaulo-tcpad/dumper.h#4 $
+ * $P4: //depot/projects/soc2008/rpaulo-tcpad/dumper.h#5 $
 */
 #ifndef _DUMPER_H_
@@ -41,7 +41,7 @@
 void dumper_addpkt(struct dumppkth *head, const struct pcap_pkthdr *ph, const unsigned char *headers);
-void dumper_error(pcap_t *, const char *path, struct dumppkth *head);
+void dumper_error(pcap_t *, struct dumppkth *head);
 void dumper_free(struct dumppkth *head);
==== //depot/projects/soc2008/rpaulo-tcpad/handler.c#13 (text+ko) ====
@@ -23,7 +23,7 @@
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/soc2008/rpaulo-tcpad/handler.c#12 $
+ * $P4: //depot/projects/soc2008/rpaulo-tcpad/handler.c#13 $
 */
 #include <stdio.h>
@@ -37,6 +37,7 @@
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
 #include <netinet/tcp_fsm.h>
+#include <netinet/tcp_seq.h>
 #include <arpa/inet.h>
 #include <pcap.h>
@@ -48,8 +49,6 @@
 #include "debug.h"
-static void print_packet(const unsigned char *bytes, const int linkhlen);
 void tcpad_pcaphandler(unsigned char *user, const struct pcap_pkthdr *ph, const unsigned char *bytes)
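Review bot: The name picked by the `access(path, W_OK) != 0` probe is handed to `pcap_dump_open()` as a separate step, so between the probe and the `fopen` inside libpcap another process can create that file, or a symlink pointing elsewhere, under `DUMPER_PATH` — a check-then-use race that matters here because the directory is a relative path (`dumpfiles/` from the Makefile hunk) and a capture process usually runs with elevated privileges. The probe also stops at any name `access()` rejects, including an existing file that is merely unwritable or a missing directory, and leaves that failure to the `pd == NULL` branch, which continues outside the hunk. Opening with `O_CREAT | O_EXCL` and handing the stream to `pcap_dump_fopen()` (if the libpcap in use provides it) makes the probe and the create one step and reports the real errno; this needs `<fcntl.h>` and `<errno.h>`, and the bound `3000` that appears twice is worth a named constant. Minor: `DUMPER_PATH` already ends in `/`, so the `"%s/dump%d.cap"` format yields `dumpfiles//dump0.cap`; drop one of the two slashes.
```c
	char path[128];
	int fd, i;
	FILE *fp;

	/* O_EXCL ties the existence probe to the create: no window in which
	 * another process can plant a file or symlink at the chosen name. */
	for (i = 0; i < 3000; i++) {
		if (snprintf(path, sizeof(path), "%s/dump%d.cap", DUMPER_PATH,
		    i) >= (int)sizeof(path)) {
			fprintf(stderr, "%s: dump path too long\n", __func__);
			return;
		}
		fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
		if (fd >= 0)
			break;
		if (errno != EEXIST) {
			fprintf(stderr, "%s: %s: %s\n", __func__, path,
			    strerror(errno));
			return;
		}
	}
	if (i == 3000) {
		fprintf(stderr, "%s, %s is full!\n", __func__, DUMPER_PATH);
		return;
	}
	fp = fdopen(fd, "w");
	if (fp == NULL) {
		close(fd);
		return;
	}
	pd = pcap_dump_fopen(p, fp);
	/* … unchanged: pd == NULL handling and the packet dump loop … */
```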
@@ -74,7 +73,6 @@
 if ((tcp->th_flags & TH_FLAGS) == TH_SYN) {
 if (cp) {
 DPRINTF("connection already being tracked!\n");
- print_packet(bytes, linkhlen);
 LIST_REMOVE(cp, entries);
 free(cp);
 }
@@ -83,13 +81,13 @@
 cp->dport = tcp->th_dport;
 cp->sport = tcp->th_sport;
 cp->isv6 = 0;
+ cp->iss = tcp->th_seq;
 memcpy(&cp->sv4addr, &ip->ip_src, sizeof(struct in_addr));
 memcpy(&cp->dv4addr, &ip->ip_dst, sizeof(struct in_addr));
 DPRINTF("tracking (syn) connection between %s and ", inet_ntoa(cp->sv4addr));
 DPRINTF("%s\n",inet_ntoa(cp->dv4addr));
 LIST_INSERT_HEAD(&tcpchead, cp, entries);
- print_packet(bytes, linkhlen);
 /*
 * Packet list. Only one per connection.
@@ -106,7 +104,6 @@
 }
 if (cp) {
 DPRINTF("connection already being tracked!\n");
- print_packet(bytes, linkhlen);
 LIST_REMOVE(cp, entries);
 free(cp);
 }
@@ -115,13 +112,13 @@
 cp->dport = tcp->th_dport;
 cp->sport = tcp->th_sport;
 cp->isv6 = 0;
+ cp->irs = tcp->th_seq;
 memcpy(&cp->sv4addr, &ip->ip_src, sizeof(struct in_addr));
 memcpy(&cp->dv4addr, &ip->ip_dst, sizeof(struct in_addr));
 DPRINTF("tracking (syn/ack) connection between %s and ", inet_ntoa(cp->sv4addr));
 DPRINTF("%s\n",inet_ntoa(cp->dv4addr));
 LIST_INSERT_HEAD(&tcpchead, cp, entries);
- print_packet(bytes, linkhlen);
 /* rcp->pktshead should have been already malloc'ed and initted */
@@ -137,7 +134,6 @@
 cp->t_state = TCPS_ESTABLISHED;
 rcp->t_state = TCPS_ESTABLISHED;
 DPRINTF("established\n");
- print_packet(bytes, linkhlen);
 }
 if (cp->t_state == TCPS_ESTABLISHED && rcp->t_state == TCPS_FIN_WAIT_1) {
@@ -160,7 +156,6 @@
 if (cp->t_state == TCPS_ESTABLISHED) {
 cp->t_state = TCPS_FIN_WAIT_1;
 DPRINTF("fin_wait_1\n");
- print_packet(bytes, linkhlen);
 }
 if (cp->t_state == TCPS_CLOSE_WAIT && rcp->t_state == TCPS_FIN_WAIT_2) {
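Review bot: `cp->iss = tcp->th_seq;` in the -83 hunk and `cp->irs = tcp->th_seq;` in the -115 hunk store the sequence number as it sits on the wire, in network byte order, while the `SEQ_GEQ`/`SEQ_LEQ` macros from `<netinet/tcp_seq.h>` that the -174 hunk later applies to these fields do signed 32-bit subtraction on host-order values, so on a little-endian host the comparisons are made against byte-swapped numbers. Store them converted, `cp->iss = ntohl(tcp->th_seq);` and `cp->irs = ntohl(tcp->th_seq);`, and convert `tcp->th_seq` and `tcp->th_ack` at every comparison site the same way. A one-line comment on the new struct fields stating that they are kept in host order would keep the next field from repeating this. tcpad_pcaphandler starts and ends outside these hunks.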
@@ -174,46 +169,19 @@
 }
 } else if ((tcp->th_flags & TH_FLAGS) == (TH_RST|TH_ACK)) {
 if (rcp && rcp->t_state == TCPS_SYN_SENT) {
- DPRINTF("stopped tracking connection (rst) between"
- " %s and ", inet_ntoa(rcp->sv4addr));
- DPRINTF("%s\n",inet_ntoa(rcp->dv4addr));
- print_packet(bytes, linkhlen);
- LIST_REMOVE(rcp, entries);
- free(rcp);
- }
- }
-}
-static void
-print_packet(const unsigned char *bytes, const int linkhlen)
-{
- const struct ip *ip;
- const struct tcphdr *tcp;
+ dumper_addpkt(rcp->pktshead, ph, bytes);
- return;
-
- ip = (const struct ip *)linkhdr_remove(bytes, linkhlen);
- tcp = (const struct tcphdr *)linkhdr_remove(bytes,
- linkhlen + sizeof(struct ip));
+ if (SEQ_GEQ(tcp->th_seq, rcp->irs) &&
+ SEQ_LEQ(tcp->th_seq, rcp->irs + rcp->rcv_wnd)) {
- printf("IP %s.%d > ", inet_ntoa(ip->ip_src),
- ntohs(tcp->th_sport));
- printf("%s.%d: ", inet_ntoa(ip->ip_dst),
- ntohs(tcp->th_dport));
-
- if (tcp->th_flags & TH_FIN)
- printf("F");
- if (tcp->th_flags & TH_SYN)
- printf("S");
- if (tcp->th_flags & TH_RST)
- printf("R");
- if (tcp->th_flags & TH_ACK)
- printf(".");
- if (tcp->th_flags & TH_URG)
- printf("U");
- if (tcp->th_flags & TH_PUSH)
- printf("P");
- if (tcp->th_flags & TH_ECE)
- printf("E");
- printf("\n");
+ DPRINTF("stopped tracking connection (rst) between"
+ " %s and ", inet_ntoa(rcp->sv4addr));
+ DPRINTF("%s\n",inet_ntoa(rcp->dv4addr));
+ LIST_REMOVE(rcp, entries);
+ free(rcp);
+ } else
+ dumper_error(p, rcp->pktshead);
+ }
+ }
 }
==== //depot/projects/soc2008/rpaulo-tcpad/helper.c#2 (text+ko) ====
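Review bot: The acceptability test `SEQ_GEQ(tcp->th_seq, rcp->irs) && SEQ_LEQ(tcp->th_seq, rcp->irs + rcp->rcv_wnd)` reads two fields that, as far as this change shows, are never set for an entry still in `TCPS_SYN_SENT`: `irs` is assigned only to the entry created on the SYN/ACK path, and `rcv_wnd` is assigned nowhere in the diff, so the window is `[irs, irs]` at best and indeterminate if the tcpc is not calloc'ed (the allocation is outside the hunk). For a RST answering a SYN the sequence field carries no information anyway (RFC 793 has it at zero); what validates a RST in SYN-SENT is its acknowledgement covering the SYN, i.e. `if (ntohl(tcp->th_ack) == ntohl(rcp->iss) + 1)` given that `iss` is currently stored in network order, or the `SEQ_GT(ack, iss) && SEQ_LEQ(ack, snd_nxt)` form once `snd_nxt` is maintained. The `else` branch also calls `dumper_error()` for every RST/ACK that fails the test while leaving `rcp` in the list, so a run of unsolicited RST/ACKs aimed at one half-open connection writes a new dump file per packet until `DUMPER_PATH` reaches its cap; dump at most once per connection (a flag on the tcpc) or remove the entry after dumping. A short comment naming the RFC 793 SYN-SENT check this branch implements would help the next reader; tcpad_pcaphandler starts outside the hunk.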
@@ -23,13 +23,14 @@
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/soc2008/rpaulo-tcpad/helper.c#1 $
+ * $P4: //depot/projects/soc2008/rpaulo-tcpad/helper.c#2 $
 */
 #include <stdio.h>
 #include <string.h>
 #include <sys/queue.h>
 #include <netinet/in.h>
+#include <netinet/tcp.h>
 #include <pcap.h>
 #include "helper.h"
==== //depot/projects/soc2008/rpaulo-tcpad/tcpad.h#9 (text+ko) ====
@@ -23,13 +23,15 @@
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/soc2008/rpaulo-tcpad/tcpad.h#8 $
+ * $P4: //depot/projects/soc2008/rpaulo-tcpad/tcpad.h#9 $
 */
 #ifndef _TCPAD_H_
 #define _TCPAD_H_
 #include <netinet/in.h>
+#include <netinet/tcp.h>
+#include <netinet/tcp_seq.h>
 pcap_t *p;
@@ -39,12 +41,23 @@
 struct in_addr dv4addr;
 unsigned short dport;
 unsigned short sport;
+
+ /* TCP internal variables, from tcpcb */
 int t_state; /* TCP FSM state */
+ tcp_seq snd_una;
+ tcp_seq snd_max;
+ tcp_seq snd_nxt;
+ tcp_seq snd_up;
+ tcp_seq iss;
+ tcp_seq irs;
+ tcp_seq snd_wnd;
+ tcp_seq rcv_wnd;
+
 int isv6;
 struct dumppkth *pktshead;
 struct tcpc *rcp;
+
 };
 LIST_HEAD(tcpchead, tcpc) tcpchead;
-
 #endif /* _TCPAD_H_ */
==== //depot/projects/soc2008/rpaulo-tcpad/timer.c#3 (text+ko) ====
@@ -23,7 +23,7 @@
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/soc2008/rpaulo-tcpad/timer.c#2 $
+ * $P4: //depot/projects/soc2008/rpaulo-tcpad/timer.c#3 $
 */
 #include <stdio.h>
@@ -33,6 +33,7 @@
 #include <sys/queue.h>
 #include <sys/time.h>
 #include <netinet/tcp_fsm.h>
+#include <netinet/tcp.h>
 #include "debug.h"
 #include "tcpad.h"
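Review bot: `snd_wnd` and `rcv_wnd` in the tcpad.h -39 hunk are window sizes, not sequence numbers, yet they are declared `tcp_seq` like the six sequence fields around them; the kernel's `struct tcpcb` keeps its windows as plain unsigned integers (`u_long` in FreeBSD of that era), and giving them the sequence type invites feeding them to the `SEQ_*` macros. Declare them `u_int32_t` (or `u_long` as tcpcb does) and give each new field a trailing comment in the style of the existing `/* TCP FSM state */`, in particular stating the byte order the sequence fields are kept in, since `th_seq` arrives in network order and nothing in the header says which convention the struct uses. The `struct tcpc` definition starts before the hunk.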